Crunch time for CMMC as November deadline looms


Full implementation of the standard takes effect in a month. In the meantime, a new study shows a compliance gap that could lock unprepared contractors out of defense contracts while cyber vulnerabilities persist.

Full implementation of the Defense Department's new cybersecurity standard takes effect on Nov. 1, and you’d think the GovCon industry would be ready for it after many years of drafts, deadlines and conversations.

But apparently not. A new study by Merrill Research found just 1% of defense contractors say they are fully prepared for assessments of their compliance with the Cybersecurity Maturity Model Certification requirements.

CMMC lays out the framework for contractors to certify how they protect controlled unclassified information on their networks.

Merrill Research's 2025 finding shows a dip in confidence in CMMC preparedness and the firm cites that as a dangerous trend. This year’s State of the Defense Industrial Base Report was commissioned by CyberSheath.


The report shows that while 69% of contractors claim DFARS compliance through self-assessment, only 30% have completed medium or high assessments to validate their actual security posture.

“The defense industrial base is running out of time,” said Emil Sayegh, CEO of CyberSheath. “Eighty thousand defense contractors need Level 2 certification, yet only 270 of these organizations currently hold final CMMC certificates.”

That shortfall in compliance could offer a competitive advantage to those who have completed certifications.

“Contractors that aren’t prepared will be locked out of billions in DOD contracts while their competitors who invested in real compliance and cybersecurity capture the business,” Sayegh said.

The low level of compliance is also alarming because so many defense contractors have reported breaches. Merrill Research found that nine in 10 contractors have suffered financial, reputational or business losses due to cyber incidents.

Critical solutions are also under-deployed. The report found:

  • 79% lack vulnerability management solutions
  • 78% lack patch management solutions
  • 74% lack data leakage protection
  • 73% lack multi-factor authentication

“Our fourth wave of research shows that while awareness of CMMC has never been higher, true readiness remains alarmingly low,” said Dr. David M. Schneer, CEO of Merrill Research.
